Art and design

Books

Culture

Environment

Fashion

Film

Life and style

Money

Music

Politics

Science

Technology

Travel

Television

US news

World news

Your iPhone's password demands aren't just annoying. They're a security flaw

Apple’s constant request for your password could make it easy miscreants to steal it via phising, a developer has warned.
Apple’s constant request for your password could make it easy for rogue developers to steal it via phising. Photograph: Samuel Gibbs for the Guardian

The iPhone’s habit of repeatedly requesting your Apple ID password with little explanation or warning isn’t just annoying – it’s also a security flaw which could allow attackers to craft extremely convincing phishing attacks, an iOS developer has warned.

Regular users of iPhones or iPads will be used to sporadic requests from the operating system to enter their Apple ID password, popping up in the middle of other activities and preventing them from continuing until they accede to the request.

It can be frustrating, particularly if the password is long and complex, and it can often be hard to work out why, precisely, the device needs your credentials. But according to developer Felix Krause, the incessant requests are more than just an irritation.

“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, eg when they want to access iCloud, GameCenter or in-app purchases,” Krause said.

“This could easily be abused by any app, just by showing [an alert] that looks exactly like the system dialogue. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”

Apple’s standard alerts look identical to those that normal developers can present, Krause noted, which means a well-crafted phishing pop-up could present absolutely no visual warnings that something “phishy” was afoot.

Apple declined to comment.

As currently constituted, there is only one way a user can be certain that the request for a password comes from Apple and not a rogue app, Krause said: hit the home button before entering the password. That’s because only Apple itself can respond to home button inputs. Any other app will be forced to close, and with it, the fake pop up.

There is no evidence Krause’s suggestion has been implemented in practice by any unscrupulous developer, and to use it for an effective phishing attack still has two further hurdles to overcome: the app must make it past Apple’s reviewers to get on the App Store, and the developer must convince users to install it.

Nonetheless, the problem faced by Apple is one that many other software developers have had to tackle over the years. “Security overload”, or the risk that users become so overwhelmed by security features that they actually create insecurity, is a long-running problem.

Famously, Windows Vista launched with a feature called User Account Control, which was intended to prevent rogue programs from taking over an infected computer. But in practice, it meant that the operating system interrupted the user to ask permission almost every time any program wanted to do anything. That meant users rapidly learned to simply click continue without reading the dialogue, undoing any security progress and eventually forcing Microsoft to replace the feature entirely in Windows 7.

Even before then, however, Microsoft had solved one of the problems that currently affects iOS. In its versions of Windows for business customers, it came up with an ingenious way to ensure that malware couldn’t ask for a user’s password: the real login screen on those versions of Windows can only be accessed by using a keyboard command, control-alt-Delete, that only Microsoft is able to respond to.

It’s the same idea as Felix Krause’s suggestion to hit the home button before entering passwords, except it was implemented almost 20 years ago. The more things change, the more they stay the same.

This article titled "Your iPhone's password demands aren't just annoying. They're a security flaw" was written by Alex Hern, for theguardian.com on Thursday 12 October 2017 11.17am

Technology

Tim O’Reilly: ‘Generosity is the thing that is at the beginning of prosperity’

Tim O’Reilly believes we need to have a reset. This means more coming from him than it does from… Read more

Lyft taxi app boosted by $1bn investment from Google-led consortium

The US ride-hailing company Lyft has secured a $1bn (£760m) investment from a Google-led… Read more

Tesla workers claim anti-LGBT threats, taunts, and racial abuse in lawsuits

Soon after he started working on the assembly line at Tesla, Jorge Ferro said he was taunted for… Read more

Games reviews roundup: Mario & Luigi: Superstar Saga; Knack 2; Ruiner

Mario & Luigi: Superstar Saga + Bowser’s Minions Nintendo 3DS; cert: 3 ★★★★ The game that… Read more

Is Richard Branson’s high-speed train in a pneumatic tube pie in the sky?

Last week, Richard Branson gave a boost to tech tycoon Elon Musk’s vision of a futuristic transport… Read more

As tech companies get richer, is it 'game over' for startups?

Facebook has been breathing down the neck of the group video-chat app Houseparty for over a year.… Read more

Tech giants face Congress as showdown over Russia election meddling looms

A showdown is looming in Washington between Congress and the powerful social media companies that… Read more

Nissan X-Trail review: ‘The dirtier it gets, the happier it is’ | Martin Love

Price: £24,845 Top speed: 116mph 0-62mph: 10.5 seconds MPG: 57.6 CO2: 129g/km Our city streets are… Read more

NBN a mistake, says Turnbull, blaming Labor for 'calamitous train wreck'

Malcolm Turnbull has labelled the national broadband network a mistake and blamed Labor for leaving… Read more

Google and Facebook under pressure after helping anti-refugee campaign

An anti-refugee campaign, Secure America Now, received targeted help from Facebook and Google to… Read more